The secret to online safety: Lies, random characters, and a password manager

This is a false dichotomy. Rather, password managers are not the only answer, but they are an answer, or a large part of the overall answer.

I emphasized "the" because apparently there is a big hard on for them among the techies here. Are they a part of a solution? Yes. But they are less of a solution for weak passwords than antiviruses are for virus protection.

<snip>

How do you figure that? As far as I can see, AV is playing cat and mouse. Password managers at least put you in front of the wave.

Not a smartass or snarky question - what is it with Ars' refusal to ever acknowledge KeePass in these kinds of articles? It's open source, free as in beer, there are ports for every OS worth mentioning, and some of us aren't keen on having our password locker plugged into a web browser.

No conspiracy theories, just genuinely curious. The only apps I ever see any real discussion about are LastPass and 1Password.

It's in the article, though I had to reread it to catch it. I think it's the lack of convenience/built-in functionality w/ browsers. You can integrate it with, say, Firefox extensions, but as I say above, I like it granular and stand-alone. Fewer vectors of attack. A bit of convenience traded for a bit more security. I was disappointed in its lack of coverage, esp. considering KP is also utterly free, cross-platform and open source.

Antiviruses update. Antiviruses come with the system. I.e., antiviruses are self-sustaining and require little input from the user to protect them. Password managers are an active system. I.e., bad for your average user.

I would be willing to use a password manager, even for my iPhone where the browsing experience is going to be completely terrible.

But what about the 'normals'? There's no way my wife is going to use ANY of these password apps. Even if I got her to, there's no way she's going to remember the 1 master password. She'll constantly need me to tell it to her over cell phone, text message, and e-mail. So there won't really be any way to keep the one master password secure either, at least not w/o being a major pain in the ass.

We just need to be done w/ passwords altogether and just require biometric fingerprint/iris authentication baked into the OS as a cross platform API. Of course, that'll never happen because even if Apple/Microsoft/Google implement this wonderful system it will be patented and limited to only their own products, meaning you'll have a different login system for your Android phone than your work PC than your tablet than your home PC, and we're all back to square one...

Local malware, though, now has an opportunity to steal your pass database and master pass simply with file upload and keyboard logging functionality, giving the attacker all your passwords in one go.

I guess if you've been compromised that badly, your security was lax enough to let it onto your system in the first place. I don't mean that to sound like "I told you so", as it would be a horrible state of affairs for anyone. I just feel if you cannot manage your perimeter defenses enough to stop malware encroaching on your network then you really can't expect security on your passwords to have any effect. You may as well walk around screaming your passwords at strangers.

I feel I could write that analogy above better, but there isn't enough coffee and fry-ups in the world to combat the hangover I have today. Sorry.

Even closely defended systems with tech-savvy users get infected thanks to software being imperfect, not to speak of all those willing to run any executable attachment. After you've been infected, it only needs to live on your computer long enough for it to upload your pass DB and for you to type the master password once.

I don't think this will be a huge problem as the intersection of the sets "password manager users" and "easy malware targets" can't be too big, but as it shouldn't be too hard to implement, I'd expect to see this functionality in malware. For spear phishing, getting the master pass/DB pair of the target would be a boon.

Have you ever assisted a self-managed user? Because what you claim doesn't actually happen in the majority of cases.

How is the passphrase "canning grass apollo beatnick charming paraphernalia" more secure than a 6-character password? I say 6-character because this particular passphrase is 6 words.

From the previous article that ars wrote about cracking passwords, I was left with the impression that dictionary attacks were effectively a word-based brute-force attack; is that a misinterpretation of what a dictionary attack is?

How is the passphrase "canning grass apollo beatnick charming paraphernalia" more secure than a 6-character password? I say 6-character because this particular passphrase is 6 words.

From the previous article that ars wrote about cracking passwords, I was left with the impression that dictionary attacks were effectively a word-based brute-force attack. I imagined, maybe this is not the case, that 6 random words were just as effective as 6 random characters.

I'm pretty sure, but the set to brute force from is exceedingly larger. It would be 6 letters of what? A 95 English accessible character set? Maybe an extra 50 workable beyond that into expanded character lists if usable? As opposed to words which, between proper nouns and words in the dictionary, is going to run what? A minimum of 10000?
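The arithmetic behind that reply, as an added example (not from the original thread): with the 95 printable ASCII characters and the 10,000-word list the commenter estimates, it computes the guess space and entropy of six random characters versus six random words, the character length that would match the passphrase, and the expected exhaustive-search time at an assumed guess rate. The 1e9 guesses/s figure and the "100 favourite words" case are constructed assumptions.

```python
import math

# Guess-space sizes from the thread (assumptions for this example): the
# 95 printable ASCII characters, and a 10,000-entry word list, which the
# commenter gives as a lower bound for a word-based attack.
PRINTABLE_ASCII = 95
WORD_LIST_SIZE = 10_000
SECONDS_PER_YEAR = 3.15e7


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of secrets an attacker must consider when each of `length`
    positions is an independent, uniform pick from `alphabet_size` symbols.
    A symbol is a character for a password and a whole word for a passphrase,
    which is exactly the model of a word-based brute-force (dictionary) attack."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def equivalent_char_length(alphabet_size: int, length: int,
                           char_set: int = PRINTABLE_ASCII) -> float:
    """How many uniformly random characters from `char_set` carry the same
    entropy as `length` symbols drawn from `alphabet_size`."""
    return entropy_bits(alphabet_size, length) / math.log2(char_set)


def expected_crack_seconds(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected exhaustive-search time at a fixed guess rate; on average the
    attacker tries half of the space before hitting the right secret."""
    return guess_space(alphabet_size, length) / 2 / guesses_per_second


def compare_six(guesses_per_second: float = 1e9) -> dict:
    """Six random printable characters versus six random dictionary words.
    The guess rate is a constructed figure for an offline attack on a fast
    hash; scale it to taste. The last entry is the caveat behind the whole
    comparison: the words must be chosen uniformly at random. A user picking
    from a pool of ~100 favourite words gets roughly character-password entropy."""
    return {
        "chars_bits": entropy_bits(PRINTABLE_ASCII, 6),
        "words_bits": entropy_bits(WORD_LIST_SIZE, 6),
        "words_as_chars": equivalent_char_length(WORD_LIST_SIZE, 6),
        "chars_years": expected_crack_seconds(PRINTABLE_ASCII, 6,
                                              guesses_per_second) / SECONDS_PER_YEAR,
        "words_years": expected_crack_seconds(WORD_LIST_SIZE, 6,
                                              guesses_per_second) / SECONDS_PER_YEAR,
        "favourite_100_words_bits": entropy_bits(100, 6),
    }


if __name__ == "__main__":
    for name, value in compare_six().items():
        print(f"{name:>25}: {value:,.4g}")
```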

Another approach that occurs to me is scrambling keyboard input. That way I can have one master password that I type in for every site ("thisismypasswordanditisstrong") and it'd be relatively secure.

This would still require syncing your "scrambled" keyboard layout via some cloud-based service, but you're not requiring your cloud host to store passwords anymore; just the keyboard layout.

Your pre-defined scrambled keyboard layouts could transpose case and special characters too, and you could have different keyboard layouts for different sites.

Doesn't really have a major advantage over the products you've specified, save for the knowledge that the service you store your keyboard layouts with can't possibly ever know your site passwords.

Also, I guess it doesn't work for storing credit card info; just passwords...

Yeah... don't do that

I'm not arguing that this is a good idea, but if you can define your own keyboard layouts, why is this problematic? Honest question.

Crackers already account for "keyboard walking."

Is that really a keyboard walk though? It sounded to me like it was a simple replacement table where, for example, "a" would become "$". Of course "a" would ALWAYS become "$" in this situation. But then each keyboard layout would be different.

So, in theory, you could set your ars password to be "arstechnica", but typed on this custom keyboard layout so that it comes out "x3)duq/5&b@"

Your Netflix password could be "NetflixForever" and you would use a different, random keyboard layout to come up with a completely different password.

Of course, I don't know how this works technically (it really just seems like a substitution table) and it seems much more complex than using a password manager. But it is more than a simple keyboard walk, right?

You overestimate how users utilise their own anti-malware, and underestimate the benefits of password managers. While the server side security must be increased dramatically everywhere, as you say, until that happens the potential to minimise the fallout is dramatic. If only a small proportion were to take a password manager on board the effect would be greater than the uptake of antivirus software.*

I'll take an active system over a completely ineffectual system. But your arguments - which may be technically correct - suggest to me that we should just keep the ineffectual system until the root cause is fixed 100%. Don't bother with password managers because they won't work for everyone. Fluoride doesn't work for everyone, but just a small token makes a significant difference.

* IMO, of course. As far as I could tell, antivirus software didn't do a thing to stem the tide of malware; system security did. A larger portion of users with more unique passwords for more sites... the only way is up.

I've migrated to KeePass and KeeFox for my password generation and securing for now. I have a number of main accounts (bank, Google, Ars) that are now 20-character random passwords. And I curse myself every single time I want to login while at work, having forgotten my USB stick with the password DB on it.

While it seems there are quirks to almost every site's password entering mechanism (looking at you, Slashdot), on the whole it seems to work pretty well for me.

Now to get my SO to move over to this system for work and personal use......

I noted the following horrible security question prompts from a bank a few months ago. Sadly, far too many are like this:
- "What is your favorite television show?" (because I'll never like something new)
- "What is the first name of your youngest child?" (because I'll never have another child)

Security strength aside, I don't know why the manual-password-reset guys don't freak out about idiotic questions like this, given the number of times they must talk to people who are answering the questions correctly, but not consistently.

Pfff. You mean you didn't develop your own longhand cypher in high school to minimize the risk of cheating? Piece of paper pass. manager 4ever.

Yes, as a kid I was into codes/ciphers and invented several alternative alphabets. I "perfected" one that I still use to write down passwords and notes that I don't want someone else to be able to read. So my passwords are "backed up" in encrypted hand-written text.

I don't like the model of all eggs in one basket with a master password for several reasons. I am more afraid of not being able to access my passwords myself than of someone else getting them. I don't like the idea of losing or forgetting one password meaning I lose all my passwords. I don't like being dependent on a specific computer(s) with certain software installed, or needing a working internet connection (for some aspects of the model) to access my passwords.

TIP: If you need to log into something from a public computer, have another window open besides the browser. When you type in your password, type a character into the password box, then click in the other window and type a few random keys, click back to the password box and type another char or two of your password. Go back and forth between windows like this several times to foil keyloggers.

Hardly, I estimate antimalware systems are largely self-sustaining; therefore, I make zero estimation in how users utilize it because I am making an estimation that users don't actively utilize it at all.

Quote:

and underestimate the benefits of password managers.

You are confusing "benefits" with "mass adoption by average users." I have repeatedly said password managers are notably beneficial. If you believe my assertion incorrect that an active password management system will not be mass adopted by average users and is therefore not terribly beneficial for security for that reason, go ahead and explain why.

Quote:

While the server side security must be increased dramatically everywhere, as you say, until that happens the potential to minimise the fall out is dramatic. If only a small proportion were to take a password manager on-board

Except most people aware of and using password managers are already the section of users least likely to need them even without them.

Quote:

But your arguments - which may be technically correct - suggest to me that we should just keep the ineffectual system until the root cause is fixed 100%. Don't bother with password managers because they wont work for everyone.

My argument is we shouldn't read "password managers" and call it a day. Which looks to be what everyone is doing to me. "Password managers are a user solution to our current failure of security on the server side!" Sure they are, but only for techie users, at best. We can't keep focusing on a non-solution to the real problem. And based on all these threads about password security, the boner techies have for password managers is getting in the way of both seeing the major problems of password managers (an active, largely commercial, independent software system that has to be taken with you everywhere you use a computer) and looking for better solutions.

I must say, I just don't feel that threatened. Do passwords get cracked sometimes? Sure. Are the chances of someone breaking into an account greater than the chances of someone breaking into my house? Probably not. (I have no idea on the statistics, but that's my sense of the risk.)

The far more likely scenario is that I get into a situation where I need access to a site and can't get to it because I can't remember my password, can't access my password manager, etc. That's the scenario that I'm more inclined to optimize my workflow for.

Those are far better security questions than "What is your mother's maiden name?" "What street did you grow up on?" "What's your father's middle name?" Those are all factual recorded data any moron can look up on Google. I prefer questions like "What was your first car?" "What's your favorite pet's name?" "Who's your favorite super hero?" because those are subjective and, while they can be looked up online if you don't secure your personal profiles or otherwise inferred, they can't be looked up on open records.

I dunno. You have to have some pretty specific information to start with to be successful with Google. (Although perhaps I feel a lot more anonymous than the average person, with "Smith" as a last name.)

And the name of a child is no more secure -- perhaps less so, depending on your public online profile.

Quote:

I prefer questions like "What was your first car?" "What's your favorite pet's name?" "Who's your favorite super hero?" because those are subjective and, while they can be looked up online if you don't secure your personal profiles or otherwise inferred, they can't be looked up on open records.

I hate "favorite" because I don't think as many people identify permanently with a "favorite" whatever as the security people seem to think. It has to be i) the obvious answer (not one of 3 or 4) and ii) unlikely to change.

"First car" and such I can live with, although it ought to specify a format ("Model of your first car..."), and some questions are pretty easy to guess anonymously (try "Corolla" for a fairly high success rate).

Are the chances of someone breaking into an account greater than the chances of someone breaking into my house?

Yes, they are much higher. Sites get hacked and lose their password databases all the time...

Citation?

Houses get broken into all the time. Just talk to an insurance salesman.

In both cases, there are so many possible targets that, even though it's a frequent event, I don't feel especially at risk. Doesn't mean I don't take any precautions, but I balance the risk against other concerns.

True, and the big problem for many people is they use the same few passwords everywhere -- to continue the analogy, it's like someone breaking into your house, and being able to steal your car, break into the backyard shed, your parents' house, and the bank you keep your money in, all at the same time.

So, the chances are much higher, and for most people, the effect is more severe. Why wouldn't someone want to use a password manager again?

When a burglar burgles your house he only burgles you, and it doesn't really affect you directly if he burgles your neighbor instead. With major sites getting hacked though, their entire user database (you and everyone else) get their passwords leaked frequently. If you use these sites, it means you're affected.

In a personal example, our house has yet to be broken into in the past 3 years, but LinkedIn was hacked (leaking my wife's password) and her Yahoo mail was hacked (ditto + she briefly became an unwitting spammer). Even if our house is eventually burgled, it won't be w/ the recurring frequency of all these hacks...

Where do you get this from?

Users have no antivirus installed or else two or more installed. Or they have turned it off so no monitoring. Or they have blocked updates. Or they have purchased 3 programs, never installed them and are still running the trial version of Symantec that doesn't update after 6 months.

The users that don't 'actively utilise' antivirus are either too scared to turn computers on, lazy, or are supported by a functional IT department. I've never seen what you claim outside the enterprise market. Are a lot of users doing it correctly? Yeah, but I doubt they are even close to a majority unless they are forced or unwitting.

Where do you get that people are saying get a password manager and call it a day? I have been seeing "I just need to run faster than you" and active propaganda to encourage others to run a bit faster for a bit longer.

Mostly it seems we agree, the current system is untenable. So I'm not going to argue most of the points you made. Where we differ is whether we try to keep others from failing completely or failing only in most areas. Will there ever be wide scale uptake? No, but it matters to everyone who stumbles only in a few places.

Quote:

"Passwords are a terrible system. I mean, passwords are awful," said Jeffrey Goldberg, Chief Defender Against the Dark Arts (yes, that's his real title) at AgileBits. His company makes a password management software called 1Password.

So why does Goldberg spend his career helping users manage passwords? As bad as passwords are, no one has come up with anything good enough to replace them across the whole Internet. Goldberg hoped for some 15 years that client certificates (digital signatures to identify users and Web services) would do the trick, but the technological and implementation barriers proved too great.

Today there is no good system. Agreed. We need to find a better system. Agreed.

But what about now? What do you propose? This is what password managers answer. Not perfect, not favourable... but it is there. It is at least some solution.

* Please, Please! note that passphrases are an active system such as you dismissed earlier.

...No. You don't remotely understand what I meant by an active system. Despite the fact I was comparing them directly to antiviruses, which I was specifically calling passive systems. Perhaps you would care to try again?

Well, no. Obviously I've stuffed up and thought a system that had to be instigated and maintained by the user could be considered an active system. I thought passive systems didn't require any action by the user to function correctly.

A password manager only works if you use it, and I couldn't commit to the user experience of a password manager until I found Dashlane. I feel Dashlane deserves a mention in this article, since it certainly compares to 1Password, LastPass and company.

Dashlane provides a smart (and easy-to-use) cross-platform desktop app paired with great browser plugins and mobile apps for iOS and Android. Fully-encrypted syncing is built in (not a 3rd-party function), with the only key tied to your master password. Your private data can only be decrypted locally, with 2-step verification for any new devices. The company recently moved to a more mature business model of $20/year for synced service between 2 or more devices, but your first device is still a free place to start.

I've used Dashlane for a year and appreciated it as a brand new password manager built around secure syncing and a great application/plug-in experience. They are steadily improving their service and I'm impressed at how efficiently they respond to bugs and suggestions.

Unfortunately, Dashlane is now more expensive than LastPass or 1Password. Still, none of the other managers give me everything I want. I prefer a dedicated app (easier to maintain than a browser-based solution), built-in syncing (less worrisome than 3rd-party patches) and a good-looking easy-to-use UI (easier to learn and troubleshoot for the less technically-inclined).

Check it out!

I've been using Dashlane for the past couple months. I really like it so far, but what I don't like is the interaction I have with the company, or lack of interaction I should say. They don't have a forum and they don't respond to my rather simple question: "Are you all working on a Windows Phone app?" I have no intention of upgrading to the full version if they aren't working on releasing an app for Windows Phone. I know LastPass has one, so if in a few months Dashlane doesn't surprise me with some sort of post about a Windows Phone app in the works, I'm off to LastPass.

It makes the assumption that hackers have access to the password in some form (e.g. the MD5 hashes mentioned in the earlier article), then proposes creating passwords that are so complex that they cannot be cracked using current techniques and hardware. Since those passwords are too complex to remember, password managers are proposed.

I can tell you exactly what will happen if password managers become commonplace: hackers will start focussing their attacks on the password managers. Once they have a viable attack on the password manager, they are going to have a comprehensive list of your account credentials. That means all of your accounts, not just one.

The reality is that the security has to be managed by the site in cases like this, and about the only thing that you can do to protect yourself is to use different passwords for different services (and to minimize how much the site knows about other services that you may use). The worst thing that you can do is open up additional vectors for attackers, which is essentially what a password manager is.

Don't know why this was downvoted so much. It makes sense to me, even if there are ways to guard against this.

Because it would be a complete waste of time for them to go after password managers. Anyone who even remotely understands how well a password manager protects its password database knows how absolutely pointless it is for someone to try and go after it. Even more so with managers that have two-factor authentication, meaning even keyloggers are a moot point.

Nothing is 100% completely absolutely fool proof. But if you think a cracker would actually enjoy trying to decrypt my LastPass database, I have a bridge to sell you.

I use 3-factor authentication: 2-factor + please deposit a bitcoin or run this code until a bitcoin is generated to my account. Thank you, my secrets are all yours... except being able to withdraw from that account.

anyways the price to login increases by my balance + login attempts. No reset on that.

Something I noted when looking into cloud password managers is that LastPass uses your master password to both derive the encryption key and log you in. Firefox Sync separates the two and lets you set them independently.

Probably not a deal-breaker for most people but still interesting information.

Your actual encryption key is derived from your password (hashed) combined with your account e-mail (hashed) and then hashed again. There's also a secret key that accompanies every single person's account that is held only on the LastPass servers. That key is also added to the hashed encryption key.

Point is, your encryption key is a combination of many variables, on top of one you don't even know, and it's hashed like 2-4 times.
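The two posts above describe two designs: one where a single master password feeds both the vault encryption key and the login check (the description of a hashed password, hashed e-mail, another hashing round and a server-only secret), and one where the login secret and the encryption secret are set independently. The following is an added toy model of both, not LastPass's or Firefox Sync's code; the PBKDF2 parameters, the salting scheme and the use of HMAC to mix in the server-side secret are assumptions chosen to show the structure, not either product's actual parameters.

```python
"""Toy model of the coupled and separated master-password designs.

Added illustration, not LastPass's or Firefox Sync's code. Salts, the
iteration count and the HMAC used for the server-side secret are assumptions.
"""
import hashlib
import hmac

ITERATIONS = 100_000  # assumed; real products tune this for their threat model


def email_salt(email: str) -> bytes:
    """Salt from the (normalised, hashed) account e-mail, as the post describes."""
    return hashlib.sha256(email.strip().lower().encode()).digest()


# --- Coupled design: one secret feeds both the vault key and the login ---

def vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: the key that encrypts the vault. Never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email_salt(email), ITERATIONS, dklen=32)


def login_hash(master_password: str, email: str) -> bytes:
    """Sent to the server: one more one-way round over the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key(master_password, email),
                               master_password.encode(), 1, dklen=32)


def server_record(lh: bytes, server_secret: bytes) -> bytes:
    """What the server stores: the login hash keyed with a secret only it holds.

    A dump of the records alone cannot be tested offline without that secret.
    """
    return hmac.new(server_secret, lh, "sha256").digest()


def coupled_login(master_password: str, email: str,
                  server_secret: bytes, stored: bytes) -> bool:
    """Server-side check. The server never sees the vault key itself."""
    return hmac.compare_digest(
        server_record(login_hash(master_password, email), server_secret), stored)


def offline_crack(candidates, email: str, server_secret: bytes, stored: bytes):
    """Attacker holding the auth records *and* the server secret.

    In the coupled design a correct guess of the master password hands over
    the vault key as a side effect, because both are derived from it.
    """
    for guess in candidates:
        if coupled_login(guess, email, server_secret, stored):
            return guess, vault_key(guess, email)
    return None


# --- Separated design: independent login password and encryption passphrase ---

def separated_keys(login_password: str, vault_passphrase: str, email: str):
    """Two unrelated secrets: cracking the login one says nothing about the vault."""
    salt = email_salt(email)
    auth = hashlib.pbkdf2_hmac("sha256", login_password.encode(),
                               salt + b"auth", ITERATIONS, dklen=32)
    vk = hashlib.pbkdf2_hmac("sha256", vault_passphrase.encode(),
                             salt + b"vault", ITERATIONS, dklen=32)
    return auth, vk


if __name__ == "__main__":
    secret = b"server-only-secret"  # constructed
    stored = server_record(login_hash("correct horse", "me@example.com"), secret)
    # Constructed guess list; the second entry is the real master password.
    print(offline_crack(["password", "correct horse"], "me@example.com", secret, stored))
```

The point the model makes: in the coupled design, whoever can test master-password guesses against the server's records (here, someone who has the records and the server-side secret) learns the vault key the moment a guess succeeds, whereas in the separated design a cracked login password yields an authentication token and nothing usable against the vault.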

At the risk of being cheeky, here's the solution I cobbled together from reading lots of these articles on Ars and elsewhere, and some creative thinking. Your (constructive only!) criticism is solicited:

First, I create and memorize a random string of characters. This has some uppercase, lowercase, numbers, and symbols. It's 6 characters long, which seems a decent balance between complexity and usability.

Then, I take that random string and use it as an infix in the site name to create the password. So for ArsTechnica, the password is ars[randominfix]technica. This particular password is 17 characters long. For sites like eBay, the password is "only" 10 characters.

So far as I can tell, this neatly solves the three needs of passwords: Be unique for each site, be easy to remember (and easy enough to type), and be long and random enough to be difficult to crack if stolen.

It's not perfect, of course. A dedicated attacker with one of my passwords would probably guess what I'm doing and apply it to other sites. But that requires an attack directly on me, not on [me as one of millions of hacked users]. And I think that, for the way I use the internet, it's secure enough. I don't have a third-party car alarm, bars on my house windows, or $100 padlocks on my bikes, because the "normal" locks and alarms are enough. This is my digital equivalent of "enough".

It's not that I don't trust password managers, and I may yet be convinced to use one. I just don't see how they offer much improvement on what I've been doing.

This could be broken by a dictionary + brute force attack. I now know that if I brute force this pattern: ars??????technica that I am, in effect, brute-forcing a six character password, which will fall in minutes. Ditto for e??????Bay, as well as alternates such as E??????BAY and 3??????B@Y.
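The reply above makes the point that once one password leaks, the attacker only has to search the infix. Here is an added example of that mask attack, not code from either poster: it counts the candidates for a pattern such as ars??????technica versus a fully random password of the same length, and actually recovers a (constructed, three-character) infix from an unsalted SHA-256 of a made-up password. The 94-character set and the 1e9 guesses per second figure are assumptions standing in for a fast unsalted hash on GPU hardware.

```python
"""Mask attack against the "site name around a memorised infix" scheme.

Added example, not code from the thread. The leaked hash is constructed
below (unsalted SHA-256 of a made-up password); the guess rate is assumed.
"""
import hashlib
import itertools
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def mask_keyspace(mask: str, charset_size: int = len(PRINTABLE)) -> int:
    """Candidates when only the '?' positions are unknown: ars??????technica -> 94**6."""
    return charset_size ** mask.count("?")


def full_keyspace(length: int, charset_size: int = len(PRINTABLE)) -> int:
    """Candidates if every position were random, for comparison."""
    return charset_size ** length


def seconds_to_exhaust(keyspace: int, guesses_per_second: float = 1e9) -> float:
    """Worst-case time at an assumed guess rate."""
    return keyspace / guesses_per_second


def fill_mask(mask: str, chars) -> str:
    """Replace each '?' in mask, left to right, with the given characters."""
    parts = mask.split("?")
    out = []
    for fixed, ch in zip(parts, chars):
        out.append(fixed)
        out.append(ch)
    out.append(parts[-1])
    return "".join(out)


def mask_attack(target_hash: str, mask: str, charset: str = PRINTABLE):
    """Brute-force only the '?' positions; return the password on a hit, else None."""
    unknown = mask.count("?")
    for combo in itertools.product(charset, repeat=unknown):
        candidate = fill_mask(mask, combo)
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    leaked = sha256_hex("arsk7!technica")  # constructed leak, 3-character infix
    print("recovered:", mask_attack(leaked, "ars???technica"))
    m = "ars??????technica"
    print(mask_keyspace(m), "candidates for the 6-character infix,",
          round(seconds_to_exhaust(mask_keyspace(m)) / 60, 1), "minutes at 1e9/s")
    print(full_keyspace(len(m)), "candidates for a random password of the same length")
```

At the assumed rate the six-character infix space (94**6, about 6.9e11) is exhausted in roughly twelve minutes, while a random 17-character password from the same set is out of reach by more than twenty orders of magnitude. The only thing the site name contributes is length, and length the attacker already knows is worth nothing.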

Ok, just got back from Kinko's where I laminated several password cards from passwordcard.org.

One set for my wife and me. One set for my brother and his wife. And one set for my parents.

The plus side: The complexity that comes with a password manager is avoided (although we also lose some of the convenience). I don't have to worry about cloud connectivity, I don't have to concern myself with which platform I'm on, I can always have the passwords on me so that even in a situation where I can't access a password manager I still have my passwords (though, honestly, I can't think of a situation outside of work where that would be an issue), it was free (except for the cost of paper, ink, and lamination) and the passwords it generates are completely random and secure.

On the down side: I have to type in long passwords by hand (though it helps me to remember them), I can't store any data like notes or credit card numbers, and I am physically carrying around all my passwords in my pocket (though that really is a non-issue).

On this last issue... the card is fairly secure because there is no real way to figure out what combination of symbols on the card are a password for any particular site, the card is not remotely accessible, and I'm very quickly aware if the card is stolen because I use my wallet all the time - if I get mugged, I know my password card is out in the wild. On top of that, I add a personal extra four characters to the code from the card so that even if someone got hold of my wallet, figured out what the card was for, managed to figure out which row, column, length, and direction equalled a password, figured out my login and what site to attack, they would still be four characters shy of what they needed to impersonate me.